{
  "name": "Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks",
  "slug": "project-ak47-uncovering-a-link-to-the-sharepoint-vulnerability-attacks",
  "description": "Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster it tracks as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the exploitation of recent SharePoint vulnerabilities and is believed to be financially motivated. CL-CRI-1040 was previously associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client. The analysis reveals a complex threat landscape with potential ties to both cybercriminal and nation-state actors.",
  "published": "2025-08-06T06:15:17+00:00",
  "created_at": "2025-08-06T06:15:17+00:00",
  "modified_at": "2025-08-06T07:06:57+00:00",
  "created_at_opencti": "2025-08-06T06:15:17+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-06",
    "CVE-2025-49704",
    "CVE-2025-49706",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "ak47 ransomware",
    "ak47c2",
    "backdoor",
    "lockbit",
    "lockbit 3.0",
    "project ak47",
    "ransomware",
    "sharepoint",
    "toolshell",
    "warlock",
    "warlock client",
    "x2anylock"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "update.updatemicfosoft.com"
      },
      {
        "id": "",
        "name": "f185c91e62ca38494d7f125492058028028769a86ed169bd2fb051e43fd9fb70"
      },
      {
        "id": "",
        "name": "e7a7cd756dfeacbdc8caa0d431f9192cb10d62da119b138fca65276ff4ab6958"
      },
      {
        "id": "",
        "name": "a919844f8f5e6655fd465be0cc0223946807dd324fcfe4ee93e9f0e6d607061e"
      },
      {
        "id": "",
        "name": "7e9632ab1898c47c46d68b66c3a987a0e28052f3b59d51c16a8e8bb11e386ce8"
      },
      {
        "id": "",
        "name": "79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73"
      },
      {
        "id": "",
        "name": "7638069eeccf3cd7026723d794a7fd181c9fe02cecc1d1a98cf79b8228132ef5"
      },
      {
        "id": "",
        "name": "6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619"
      },
      {
        "id": "",
        "name": "5cc047a9c5bb2aa6a9581942b9d2d185815aefea06296c8195ca2f18f2680b3e"
      },
      {
        "id": "",
        "name": "4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f"
      },
      {
        "id": "",
        "name": "1d85b18034dc6c2e9d1f7c982a39ca0d4209eb6c48ace89014924eae6532e6bc"
      },
      {
        "id": "",
        "name": "f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3"
      },
      {
        "id": "",
        "name": "f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574"
      },
      {
        "id": "",
        "name": "dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de"
      },
      {
        "id": "",
        "name": "d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d"
      },
      {
        "id": "",
        "name": "ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b"
      },
      {
        "id": "",
        "name": "c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94"
      },
      {
        "id": "",
        "name": "b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0"
      },
      {
        "id": "",
        "name": "abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1"
      },
      {
        "id": "",
        "name": "7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d"
      },
      {
        "id": "",
        "name": "55a246576af6f6212c26ef78be5dd8f83e78dd45aea97bb505d8cee1aeef6f17"
      },
      {
        "id": "",
        "name": "3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550"
      },
      {
        "id": "",
        "name": "257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505"
      },
      {
        "id": "",
        "name": "1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192"
      },
      {
        "id": "",
        "name": "0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22"
      },
      {
        "id": "",
        "name": "24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf"
      },
      {
        "id": "",
        "name": "011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb"
      }
    ],
    "malware": [
      {
        "id": "d85f9a25-a3c2-4fea-b90d-fe48b1834126",
        "name": "X2ANYLOCK",
        "slug": "x2anylock"
      },
      {
        "id": "c75e7936-f07d-4187-a736-851c7329a43a",
        "name": "AK47 ransomware",
        "slug": "ak47-ransomware"
      },
      {
        "id": "afdc2182-b25b-44e3-a6cd-0d6feb765dbd",
        "name": "AK47C2",
        "slug": "ak47c2"
      },
      {
        "id": "72c27936-41b1-48fb-b970-ca0db6ee197a",
        "name": "Warlock",
        "slug": "warlock"
      },
      {
        "id": "legacy:malware:595b0f69ff5ae12b",
        "name": "LockBit 3.0",
        "slug": "lockbit-30"
      }
    ],
    "intrusion_sets": [
      {
        "id": "af275e3c-7a64-4cdb-a858-1136adceb288",
        "name": "Storm-2603",
        "slug": "storm-2603"
      }
    ],
    "attack_patterns": [
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-53771"
      },
      {
        "id": "",
        "name": "CVE-2025-53770"
      },
      {
        "id": "",
        "name": "CVE-2025-49706"
      },
      {
        "id": "",
        "name": "CVE-2025-49704"
      },
      {
        "id": "",
        "name": "CVE-2025-31324"
      },
      {
        "id": "",
        "name": "CVE-2024-53870"
      },
      {
        "id": "",
        "name": "CVE-2025-0283"
      },
      {
        "id": "",
        "name": "CVE-2025-0282"
      },
      {
        "id": "",
        "name": "CVE-2024-8299"
      },
      {
        "id": "",
        "name": "CVE-2024-7587"
      },
      {
        "id": "",
        "name": "CVE-2024-1182"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/",
    "https://otx.alienvault.com/pulse/68930f15831806a6887354c8"
  ]
}